Admin Denied ! Again

wutsitallabout

It's still happening. I've mentioned on this group before
about not being able to perform Admin tasks even though
logged on as the local built in Administrator (no domain),
at home, at work and other people I know as well. Tonight
I tried to view my security logs and was denied access to
do so. The message was.....

"Unable to complete the operation on "security log". A
required privilege is not held by the client".

I searched for the "winlogon.txt". I'm not sure if in
effect I'm looking at the security log, but here's what it
says.

I hope this makes sense to someone out there.

Thanks very much.
**********************************************************
----Configure User Rights...
Configure Administrators.
Error 1332: No mapping between account names and security IDs was done.
Cannot find Administrators.
Configure S-1-5-32-551.
Configure S-1-5-32-547.
Configure S-1-5-32-545.
Configure S-1-1-0.
Configure S-1-5-21-1614895754-682003330-839522115-501.
Configure S-1-5-32-544.
Configure S-1-5-21-1614895754-682003330-839522115-1000.
Configure S-1-5-21-1614895754-682003330-839522115-500.
Configure S-1-5-21-1614895754-682003330-839522115-1002.

User Rights configuration completed with error.




I also looked at the application log. Geez I was allowed
to see that!.....

Event Type: Warning
Event Source: SceCli
Event Category: None
Event ID: 1202
Date: 9/15/2003
Time: 11:55:12 PM
User: N/A
Computer: JUICE
Description:
Security policies are propagated with warning. 0x534 : No
mapping between account names and security IDs was done.

For best results in resolving this event, log on with a
non-administrative account and search
http://support.microsoft.com for "troubleshooting 1202
events".
A user account in one or more Group policy objects (GPOs)
could not be resolved to a SID. This error is possibly
caused by a mistyped nor deleted user account referenced
in either the User Rights or Restricted Groups branch of a
GPO. To resolve this event, contact an administrator in
the domain to perform the following actions:

1.Identify accounts that could not be resolved to a SID:
From the command prompt, type: FIND /I "Cannot find" %SYSTEMROOT%\Security\Logs\winlogon.log
The string following "Cannot find" in the FIND output
identifies the problem account names.
Example: Cannot find JohnDough.
In this case, the SID for username "JohnDough" could not
be determined. This most likely occurs because the account
was deleted, renamed, or is spelled differently
(e.g. "JohnDoe").

2.Identify the GPOs that contain the unresolvable account
name:
From the command prompt type FIND /I "JohnDough" %SYSTEMROOT%\Security\templates\policies\gpt*.*
The output of the FIND command will resemble the
following:
---------- GPT00000.DOM
---------- GPT00001.DOM
SeRemoteShutdownPrivilege=JohnDough
This indicates that of all the GPO's being applied
to this machine, the unresolvable account exists only in
one GPO. Specifically, the cached GPO named GPT00001.DOM.
Now we need to determine the friendly name of this
GPO in the next step.

3. Locate the friendly names of each of the GPOs that
contain an unresolvable account name. These GPOs were
identified in the previous step.
From the command prompt, type: FIND /I "[Mapping]" %SYSTEMROOT%\Security\Logs\winlogon.log
The string following "[Mapping] gpt0000?.dom =" in
the FIND output identifies the friendly names for all
GPO's being applied to this machine.
Example: [Mapping] gpt00001.dom = User Rights Policy
In this case, the GPO that contains the
unresolvable account (gpt00001.dom) has a friendly name
of "User Rights Policy".

4. Remove unresolved accounts from each GPO that contains
an unresolvable account.
a. Start -> Run -> MMC.EXE
b. From the File menu select "Add/Remove Snap-in."
c. From the "Add/Remove Snap-in" dialog box
select "Add."
d. In the "Add Standalone Snap-in" dialog box
select "Group Policy" and click "Add"
e. In the "Select Group Policy Object" dialog box
click the "Browse" button.
f. On the "Browse for a Group Policy Object"
dialog box choose the "All" tab
g. Right click on the first policy identified in
step 3 and choose edit
h. Review each setting under Computer
Configuration/ Windows Settings/ Security Settings/ Local
Policies/ User Rights
Assignment or Computer Configuration/ Windows
Settings/ SecuritySettings/ Restricted Groups for accounts
identified in step 1.
i. Repeat steps 3g and 3h for all subsequent GPOs
identified in step 3.
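
Steps 1 to 3 of the event description, done in one pass over the log text, with the well-known SIDs from the winlogon output translated to names. This is an added example, not part of the thread and not a Microsoft tool; the function names are hypothetical, and the sample log and GPO cache contents are constructed from lines quoted above.

```python
import re

# Well-known SIDs/RIDs documented by Microsoft; the S-1-5-21-... prefix is per machine.
WELL_KNOWN = {"S-1-1-0": "Everyone", "S-1-5-32-544": "Administrators",
              "S-1-5-32-545": "Users", "S-1-5-32-547": "Power Users",
              "S-1-5-32-551": "Backup Operators"}
ACCOUNT_RIDS = {"500": "built-in Administrator", "501": "built-in Guest"}

def label_sid(sid):
    """Name a SID if it is well known, otherwise report its RID."""
    if sid in WELL_KNOWN:
        return WELL_KNOWN[sid]
    m = re.fullmatch(r"S-1-5-21-\d+-\d+-\d+-(\d+)", sid)
    if not m:
        return "unrecognized"
    return ACCOUNT_RIDS.get(m.group(1), "account with RID " + m.group(1))

def parse_winlogon(text):
    """Steps 1 and 3: unresolved names, configured SIDs, GPO friendly names."""
    text = text.replace("\r\n", "\n")
    text = re.sub(r"-[ \t]*\n[ \t]*(?=\d)", "-", text)  # rejoin wrapped SIDs
    unresolved = re.findall(r"(?im)^\s*Cannot find (.+?)\.?[ \t]*$", text)
    sids = re.findall(r"(?m)^\s*Configure (S-1-[0-9-]+)\.", text)
    mapping = {f.lower(): n for f, n in
               re.findall(r"(?im)^\s*\[Mapping\]\s*(\S+)\s*=\s*(.+?)[ \t]*$", text)}
    return unresolved, sids, mapping

def gpos_referencing(name, gpt_files, mapping):
    """Step 2: settings in cached GPO files that name the unresolved account."""
    hits = []
    for fname, body in gpt_files.items():
        for line in body.splitlines():
            setting, _, members = line.partition("=")
            if name.lower() in (m.strip().lower() for m in members.split(",")):
                hits.append((mapping.get(fname.lower(), fname), setting.strip()))
    return hits

# Constructed sample: lines from the post plus the JohnDough example it quotes.
SAMPLE_LOG = """Configure Administrators.
Cannot find Administrators.
Configure S-1-5-32-547.
Configure S-1-5-21-1614895754-682003330-839522115-
500.
Cannot find JohnDough.
[Mapping] gpt00001.dom = User Rights Policy
"""
SAMPLE_GPT = {"GPT00000.DOM": "SeShutdownPrivilege=*S-1-5-32-544",
              "GPT00001.DOM": "SeRemoteShutdownPrivilege=JohnDough"}
```

On a real machine the inputs would be the contents of %SYSTEMROOT%\Security\Logs\winlogon.log and the gpt*.* files named in step 2.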
 
JohnMo

RESOLUTION
To resolve this behavior, remove all references to the
Power Users group in the Local Security settings. Follow
these steps:

Click Start, point to Settings, and then click Control
Panel.
Double-click Administrative Tools, and then double-click
Local Security Policy.
Click Local Policies, and then click User Rights
Assignment.
Double-click each item under User Rights Assignments to
see whether the item contains the Power Users group. When
you find a policy item that contains the Power Users
group, click to clear the Power Users check box and then
click OK.
Restart the computer and review the Winlogon.log file and
Event Viewer to make sure that the error messages no
longer occur.
hth
 
wutsitallabout

Would you mind explaining what effect this has in general
and what it has to do with admin privileges? I'm not
trying to be smart, I appreciate your answer. I just need
to understand. I have no users in the power users group.
I am the only user on this machine and I am the built in
renamed admin.

Thanks

 
